Updated on 2024-03-14 GMT+08:00

Step 5: Test Dedicated WAF Instances

To ensure that WAF can forward your website requests normally, test WAF locally after you add a website to WAF.

(Optional) Testing a Dedicated WAF Instance

  1. Create an ECS that is in the same VPC as the dedicated WAF instance for sending requests.
  2. Send requests to the dedicated WAF through the ECS created in Step 1.

    • Forwarding test
      curl -kv -H "Host: {protection object added to WAF}"{Client protocol in server configuration}://{IP address of the dedicated WAF instance}:{protection port}

      For example:

      curl -kv -H "Host: a.example.com" http://192.168.0.1

      If the response code is 200, the request has been forwarded.

    • Attack blocking test
      1. Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.

      2. Run the following command:
        curl -kv -H "Host: {protection object added to WAF}"{Client protocol in server configuration}://{IP address of the dedicated WAF instance}:{protection port}--data "id=1 and 1='1"
        Example:
        curl -kv -H "Host: a.example.com" http:// 192.168.X.X --data "id=1 and 1='1"

        If the response code is 418, the request has been blocked, indicating that the dedicated WAF works properly.

Testing the Dedicated WAF Instance and Dedicated ELB Load Balancer

  • Forwarding test
    curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{Private IP address bound to the load balancer}:{ELB listening port}

    If an EIP is bound to the load balancer, any publicly accessible servers can be used for testing.

    curl -kv -H "Host: {Protected object added to WAF}" {ELB external protocol}://{EIP bound to the load balancer}:{ELB listening port}

    Example:

    curl -kv -H "Host: a.example.com" http://192.168.X.Y
    curl -kv -H "Host: a.example.com" http://100.10.X.X

    If the response code is 200, the request has been forwarded.

    If the dedicated WAF instance works but the request fails to be forwarded, check the load balancer settings first. If the load balancer health check result is unhealthy, disable health check and perform the preceding operations again.

  • Attack blocking test
    1. Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.

    2. Run the following command:
      curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{Private IP address bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1"

      If an EIP has been bound to the load balancer, any publicly accessible servers can be used for testing.

      curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{EIP bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1"

      Example:

      curl -kv -H "Host: a.example.com" http:// 192.168.0.2 --data "id=1 and 1='1"
      curl -kv -H "Host: a.example.com" http:// 100.10.X.X --data "id=1 and 1='1"

      If the response code is 418, the request has been blocked, indicating that both dedicated WAF instance and ELB load balancer work properly.